>Number: 98219
>Category: kern
>Synopsis: pf needs a way of matching on decapsulated IPSEC packets
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed May 31 15:00:36 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Andrianov
>Release: 6.0
>Organization:
>Environment:
FreeBSD 6.0-RELEASE #0
>Description:
It seems there is no way to distinguish an ordinary packet that arrived from the wire from one decapsulated from an IPsec ESP packet. When the kernel is built with IPSEC_FILTERGIF, the decapsulated packet appears to arrive on the same interface on which the original ESP packet arrived.
Normally you have to enable ESP packets:
pass in quick on fxp0 proto esp from $vpn_peer to fxp0:any
But to avoid the firewall dropping the decapsulated packets, you also need
pass in quick on fxp0 from $vpn_remote_net to $local_net
But this rule will also allow any packet with spoofed IPs pretending to be from $vpn_remote_net to $local_net to be accepted and processed.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
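Editor's illustration of the ruleset the Description talks about. This pf.conf fragment is an added example, not part of the PR and not FreeBSD's own configuration; the interface name fxp0 and the three address macros are assumed values chosen for the example. It shows the two rules from the report with the macros filled in, and why the obvious tightening (a block rule on cleartext traffic claiming the remote network) cannot be expressed when decapsulated packets are evaluated on the same interface.

```conf
# Added example for PR 98219; not from the report or the FreeBSD tree.
# fxp0 and the macro values below are assumptions made for illustration.
ext_if         = "fxp0"
vpn_peer       = "192.0.2.10"      # remote IPsec gateway (assumed, documentation range)
vpn_remote_net = "10.20.0.0/16"    # network behind the peer (assumed)
local_net      = "10.10.0.0/16"    # our side of the tunnel (assumed)

set skip on lo0
block in log on $ext_if

# 1. Let the ESP packets from the peer reach the kernel's IPsec code.
#    "$ext_if" as a destination means every address assigned to fxp0.
pass in quick on $ext_if proto esp from $vpn_peer to $ext_if

# 2. With options IPSEC_FILTERGIF the decapsulated inner packet is run
#    through pf a second time and shows up on $ext_if, so it needs a rule
#    of its own. Nothing in the rule can tell a packet that came out of
#    ESP from a cleartext packet with a forged 10.20.0.0/16 source that
#    arrived on the wire: both match here and are passed.
pass in quick on $ext_if from $vpn_remote_net to $local_net

# The obvious fix does not work: a rule such as
#   block in quick on $ext_if from $vpn_remote_net
# placed before rule 2 to reject cleartext packets claiming the remote
# network would also drop the decapsulated packets, because they are
# evaluated on the same interface with the same addresses. This is the
# missing selector the PR asks for.
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check without applying; `pfctl -sr` then shows the expanded rules. The gap described in the report is visible in the output: the two pass rules carry no attribute that separates traffic that was decapsulated from traffic that simply arrived on fxp0.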